If I delete port number 636 from config file - everething is OK!
Replication works over the non encrypted connection (port 389).

If you specify port 636 (ldaps), the server expects an SSL handshake first.
With TLS however, an LDAPv3 connection is established first and then
encryption is switched on with the StartTLS exteneded operation. So you
should use the default ldap port with TLS.
The check that the communication is actually encrypted use a tool such as
ethereal.